npm - @intentius/chant-lexicon-github - Versions diffs - 0.0.18 → 0.0.22 - Mend

@intentius/chant-lexicon-github 0.0.18 → 0.0.22

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (61) hide show

package/dist/integrity.json +14 -4
package/dist/manifest.json +1 -1
package/dist/rules/gha020.ts +40 -0
package/dist/rules/gha021.ts +48 -0
package/dist/rules/gha022.ts +50 -0
package/dist/rules/gha023.ts +44 -0
package/dist/rules/gha024.ts +42 -0
package/dist/rules/gha025.ts +42 -0
package/dist/rules/gha026.ts +40 -0
package/dist/rules/gha027.ts +57 -0
package/dist/rules/gha028.ts +37 -0
package/dist/skills/chant-github.md +1 -1
package/dist/skills/github-actions-security.md +87 -0
package/package.json +20 -2
package/src/codegen/docs.test.ts +19 -0
package/src/codegen/generate.test.ts +12 -0
package/src/codegen/package.test.ts +8 -0
package/src/coverage.test.ts +23 -0
package/src/import/roundtrip.test.ts +206 -0
package/src/lint/post-synth/gha006.test.ts +56 -0
package/src/lint/post-synth/gha009.test.ts +56 -0
package/src/lint/post-synth/gha011.test.ts +61 -0
package/src/lint/post-synth/gha017.test.ts +51 -0
package/src/lint/post-synth/gha018.test.ts +66 -0
package/src/lint/post-synth/gha019.test.ts +66 -0
package/src/lint/post-synth/gha020.test.ts +66 -0
package/src/lint/post-synth/gha020.ts +40 -0
package/src/lint/post-synth/gha021.test.ts +67 -0
package/src/lint/post-synth/gha021.ts +48 -0
package/src/lint/post-synth/gha022.test.ts +45 -0
package/src/lint/post-synth/gha022.ts +50 -0
package/src/lint/post-synth/gha023.test.ts +52 -0
package/src/lint/post-synth/gha023.ts +44 -0
package/src/lint/post-synth/gha024.test.ts +67 -0
package/src/lint/post-synth/gha024.ts +42 -0
package/src/lint/post-synth/gha025.test.ts +65 -0
package/src/lint/post-synth/gha025.ts +42 -0
package/src/lint/post-synth/gha026.test.ts +65 -0
package/src/lint/post-synth/gha026.ts +40 -0
package/src/lint/post-synth/gha027.test.ts +48 -0
package/src/lint/post-synth/gha027.ts +57 -0
package/src/lint/post-synth/gha028.test.ts +48 -0
package/src/lint/post-synth/gha028.ts +37 -0
package/src/lint/rules/deprecated-action-version.test.ts +26 -0
package/src/lint/rules/detect-secrets.test.ts +25 -0
package/src/lint/rules/extract-inline-structs.test.ts +25 -0
package/src/lint/rules/file-job-limit.test.ts +28 -0
package/src/lint/rules/job-timeout.test.ts +31 -0
package/src/lint/rules/missing-recommended-inputs.test.ts +26 -0
package/src/lint/rules/no-hardcoded-secrets.test.ts +31 -0
package/src/lint/rules/no-raw-expressions.test.ts +31 -0
package/src/lint/rules/suggest-cache.test.ts +25 -0
package/src/lint/rules/use-condition-builders.test.ts +31 -0
package/src/lint/rules/use-matrix-builder.test.ts +25 -0
package/src/lint/rules/use-typed-actions.test.ts +39 -0
package/src/lint/rules/validate-concurrency.test.ts +31 -0
package/src/plugin.test.ts +1 -1
package/src/plugin.ts +30 -2
package/src/skills/github-actions-security.md +87 -0
package/src/validate.ts +14 -1
package/src/variables.test.ts +48 -0

package/src/skills/github-actions-security.md ADDED Viewed

@@ -0,0 +1,87 @@
+---
+skill: github-actions-security
+description: GitHub Actions security best practices — secret scanning, OIDC, permissions hardening, supply chain security
+---
+# GitHub Actions Security Playbook
+## Permissions Hardening
+Always set the minimum required permissions at the workflow level:
+```typescript
+new Workflow({
+  name: "CI",
+  on: { push: { branches: ["main"] } },
+  permissions: { contents: "read" },
+});
+```
+For deployments that need write access, scope it to the job:
+```typescript
+new Job({
+  "runs-on": "ubuntu-latest",
+  permissions: { contents: "read", "id-token": "write" },
+  steps: [...],
+});
+```
+## Pin Actions by SHA
+Never use mutable tags like `@v4`. Pin to a full commit SHA:
+```typescript
+new Step({
+  uses: "actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11", // v4.1.1
+})
+```
+## OIDC for Cloud Providers
+Use OpenID Connect instead of long-lived secrets:
+```typescript
+// AWS
+new Step({
+  uses: "aws-actions/configure-aws-credentials@v4",
+  with: {
+    "role-to-assume": "arn:aws:iam::123456789012:role/deploy",
+    "aws-region": "us-east-1",
+  },
+})
+```
+## Secret Scanning
+- Never echo secrets in `run:` steps
+- Use `environment` protection rules for production secrets
+- Rotate secrets regularly and audit access logs
+## Supply Chain Security
+- Use `permissions: {}` (empty) as a baseline, then grant only what each job needs
+- Avoid `pull_request_target` with `actions/checkout` (code injection risk)
+- Use Dependabot or Renovate to keep action versions current
+- Add `concurrency` blocks to prevent parallel deploys
+## Concurrency Control
+```typescript
+new Concurrency({
+  group: "${{ github.workflow }}-${{ github.ref }}",
+  "cancel-in-progress": true,
+})
+```
+## Job Timeouts
+Always set timeouts to prevent runaway jobs:
+```typescript
+new Job({
+  "runs-on": "ubuntu-latest",
+  "timeout-minutes": 30,
+  steps: [...],
+});
+```

package/src/validate.ts CHANGED Viewed

@@ -2,7 +2,8 @@
  * Validate generated lexicon-github artifacts.
  */
-import { dirname } from "path";
+import { dirname, join } from "path";
+import { existsSync } from "fs";
 import { fileURLToPath } from "url";
 import { validateLexiconArtifacts, type ValidateResult } from "@intentius/chant/codegen/validate";
@@ -23,6 +24,18 @@ const REQUIRED_NAMES = [
  */
 export async function validate(opts?: { basePath?: string }): Promise<ValidateResult> {
   const basePath = opts?.basePath ?? dirname(dirname(fileURLToPath(import.meta.url)));
+  const generatedDir = join(basePath, "src", "generated");
+  if (!existsSync(generatedDir)) {
+    return {
+      success: false,
+      checks: [{
+        name: "generated-dir",
+        ok: false,
+        error: 'src/generated/ not found — run "chant dev generate" first',
+      }],
+    };
+  }
   return validateLexiconArtifacts({
     lexiconJsonFilename: "lexicon-github.json",

package/src/variables.test.ts ADDED Viewed

@@ -0,0 +1,48 @@
+import { describe, test, expect } from "bun:test";
+import { GitHub, Runner } from "./variables";
+describe("GitHub context variables", () => {
+  test("GitHub.Ref resolves to github.ref expression", () => {
+    expect(GitHub.Ref.toString()).toBe("${{ github.ref }}");
+  });
+  test("GitHub.Sha resolves to github.sha expression", () => {
+    expect(GitHub.Sha.toString()).toBe("${{ github.sha }}");
+  });
+  test("GitHub.Actor resolves to github.actor expression", () => {
+    expect(GitHub.Actor.toString()).toBe("${{ github.actor }}");
+  });
+  test("GitHub has all expected properties", () => {
+    const keys = Object.keys(GitHub);
+    expect(keys).toContain("Ref");
+    expect(keys).toContain("Sha");
+    expect(keys).toContain("Actor");
+    expect(keys).toContain("Repository");
+    expect(keys).toContain("EventName");
+    expect(keys).toContain("Token");
+    expect(keys).toContain("Workspace");
+    expect(keys.length).toBe(25);
+  });
+});
+describe("Runner context variables", () => {
+  test("Runner.Os resolves to runner.os expression", () => {
+    expect(Runner.Os.toString()).toBe("${{ runner.os }}");
+  });
+  test("Runner.Arch resolves to runner.arch expression", () => {
+    expect(Runner.Arch.toString()).toBe("${{ runner.arch }}");
+  });
+  test("Runner has all expected properties", () => {
+    const keys = Object.keys(Runner);
+    expect(keys).toContain("Os");
+    expect(keys).toContain("Arch");
+    expect(keys).toContain("Name");
+    expect(keys).toContain("Temp");
+    expect(keys).toContain("ToolCache");
+    expect(keys.length).toBe(5);
+  });
+});